Re: RACF and public keys
Awesome, thanks for sharing in advance. We did get the key to work finally... it was a permissions issue! Thanks all!!!

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
Sent: Thursday, March 02, 2017 10:01 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF and public keys

FYI, we will be presenting a SHARE session next week on this subject:

*Finding the Needle in a Haystack - Diagnosing Common OpenSSH Problems*
- Room: Blossom Hill I,II
- Session Number: 20125
- Thursday, March 09, 2017: 10:00 AM - 11:00 AM
http://events.share.org/Winter2017/Public/SessionDetails.aspx?FromPage=Sessions.aspx=1900=20

For this particular issue (file permissions), see slide 45 of the presentation.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Mar 1, 2017 at 2:29 PM, Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 1 Mar 2017 13:00:08 -0700, Jack J. Woehr wrote:
>
> >Mark Post wrote:
> >> If you don't mind them accessing your system in this way (I have
> >> severe doubts about that), just put the key as-is into the target userid's
> >> .ssh/authorized_keys file and have them give it a try.
> >
> >And make sure the dir .ssh is chmod 700 and the authorized_keys file
> >is chmod 600 or it won't work.
>
> I believe .ssh chmod 711 works and I find it convenient for co-workers
> to add me to their public_keys file. But I keep my authorized_keys
> file 600 rather than 644 -- no need to support browsing.
>
> And (grand*)parent directories must not be writeable by anyone except
> owner.
>
> -- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF and public keys
FYI, we will be presenting a SHARE session next week on this subject:

*Finding the Needle in a Haystack - Diagnosing Common OpenSSH Problems*
- Room: Blossom Hill I,II
- Session Number: 20125
- Thursday, March 09, 2017: 10:00 AM - 11:00 AM
http://events.share.org/Winter2017/Public/SessionDetails.aspx?FromPage=Sessions.aspx=1900=20

For this particular issue (file permissions), see slide 45 of the presentation.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Mar 1, 2017 at 2:29 PM, Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 1 Mar 2017 13:00:08 -0700, Jack J. Woehr wrote:
>
> >Mark Post wrote:
> >> If you don't mind them accessing your system in this way (I have severe
> >> doubts about that), just put the key as-is into the target userid's
> >> .ssh/authorized_keys file and have them give it a try.
> >
> >And make sure the dir .ssh is chmod 700 and the authorized_keys file is
> >chmod 600 or it won't work.
>
> I believe .ssh chmod 711 works and I find it convenient for co-workers to
> add me to their public_keys file. But I keep my authorized_keys file 600
> rather than 644 -- no need to support browsing.
>
> And (grand*)parent directories must not be writeable by anyone except
> owner.
>
> -- gil
Re: RACF and public keys
On Wed, 1 Mar 2017 13:00:08 -0700, Jack J. Woehr wrote:
>Mark Post wrote:
>> If you don't mind them accessing your system in this way (I have severe
>> doubts about that), just put the key as-is into the target userid's
>> .ssh/authorized_keys file and have them give it a try.
>
>And make sure the dir .ssh is chmod 700 and the authorized_keys file is chmod
>600 or it won't work.
>
I believe .ssh chmod 711 works and I find it convenient for co-workers to add me to their public_keys file. But I keep my authorized_keys file 600 rather than 644 -- no need to support browsing.

And (grand*)parent directories must not be writeable by anyone except owner.

-- gil
Re: RACF and public keys
Mark Post wrote:
> If you don't mind them accessing your system in this way (I have severe
> doubts about that), just put the key as-is into the target userid's
> .ssh/authorized_keys file and have them give it a try.

And make sure the dir .ssh is chmod 700 and the authorized_keys file is chmod 600 or it won't work.

--
Jack J. Woehr         # Science is more than a body of knowledge. It's a way of
www.well.com/~jax     # thinking, a way of skeptically interrogating the universe
www.softwoehr.com     # with a fine understanding of human fallibility. - Carl Sagan
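The chmod rules Jack and Gil give above (700 or 711 on .ssh, 600 rather than 644 on authorized_keys, no group or world write bit on any parent directory) are what sshd's StrictModes enforces before it will read the file: every path must be owned by the user or root and must not be writable by group or others, checked from authorized_keys up to and including the home directory. The script below is an added example, not code from this thread, Dovetail or IBM; it reproduces those checks in POSIX shell with ls -ld and dirname (both available under z/OS UNIX as well as Linux). The function names and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the thread, Dovetail or IBM): reproduce the
# checks sshd's StrictModes makes before it will read ~/.ssh/authorized_keys.
# Each path must be owned by the user (or root) and must not be writable by
# group or others. 700 and 711 on .ssh both pass; 600 and 644 on the file
# both pass; any group/world write bit fails. Function names are hypothetical.

# Report one path. Returns 0 if it passes, 1 if not; prints a line either way.
check_path_safe() {
  p=$1
  user=$2
  set -- $(ls -ld "$p")       # fields: mode links owner group ...
  mode=$1
  owner=$3
  bad=0
  case "$mode" in
    ?????w*|????????w*)       # group write bit is char 6, other write bit is char 9
      echo "BAD $mode $owner $p (writable by group or others)"
      bad=1 ;;
  esac
  if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
    echo "BAD $mode $owner $p (owned by $owner, expected $user or root)"
    bad=1
  fi
  [ "$bad" -eq 0 ] && echo "ok  $mode $owner $p"
  return "$bad"
}

# Check authorized_keys, then .ssh and every ancestor up to and including the
# home directory, which is where sshd stops walking.
# $1 = home directory, $2 = user name that should own the tree.
check_ssh_perms() {
  home=$1
  user=$2
  rc=0
  f="$home/.ssh/authorized_keys"
  if [ ! -f "$f" ]; then
    echo "BAD missing $f"
    return 1
  fi
  check_path_safe "$f" "$user" || rc=1
  d="$home/.ssh"
  while :; do
    check_path_safe "$d" "$user" || rc=1
    [ "$d" = "$home" ] && break
    [ "$d" = "/" ] && break       # safety stop if $home is not an ancestor
    d=$(dirname "$d")
  done
  return "$rc"
}

# Run stand-alone as:  sh check_ssh_perms.sh /u/vendorid vendorid
if [ $# -eq 2 ]; then
  check_ssh_perms "$1" "$2"
  exit $?
fi
```

A non-zero exit means sshd would silently fall back to password authentication, which is exactly the symptom in the original post; the BAD lines name the path and mode to fix.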
Re: RACF and public keys
Thanks Mark and Allan!

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
Sent: Wednesday, March 01, 2017 2:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF and public keys

>>> On 3/1/2017 at 02:04 PM, Tracy Adams <tad...@fbbrands.com> wrote:
> I have a vendor that sent me a "public" key so they can SFTP into our
> mainframe from a Linux box without having to supply the RACF password.
> Yes they can sign in with a password and all works fine. I am new to
> RACF and loading keys and the whole SFTP / ssh thing so bear with me!
>
> When I look at the key provided it starts off with this "ssh-rsa
> B3NzaC1yc2EBI". The doc I have found from Dovetail for
> Co:z indicates to get the .pub file into a MVS dataset in "text"
> format then do a RACDCERT ADD command and then point to the RACF
> keyring in $HOME/.ssh/authorized_keys. The RACDCERT command fails
> indicating "The input data set does not contain a valid certificate."
> And the DEBUG option provides no additional information.
>
> I am thinking I must have done something wrong getting the file from
> Windows email to the mainframe... I simply used SFTP to move it from
> c:\temp and I have tried both ASCII (looks good) and BINARY (looks binary).
>
> Is the .pub file simply in the wrong format for RACF and needs to be
> converted?

I'm pretty sure the public key they provided you was not intended to be used in conjunction with RACF (or any other ESM). That looks like a "plain old ssh" public key. If you don't mind them accessing your system in this way (I have severe doubts about that), just put the key as-is into the target userid's .ssh/authorized_keys file and have them give it a try.

Mark Post
Re: RACF and public keys
>>> On 3/1/2017 at 02:04 PM, Tracy Adams wrote:
> I have a vendor that sent me a "public" key so they can SFTP into our
> mainframe from a Linux box without having to supply the RACF password. Yes
> they can sign in with a password and all works fine. I am new to RACF and
> loading keys and the whole SFTP / ssh thing so bear with me!
>
> When I look at the key provided it starts off with this "ssh-rsa
> B3NzaC1yc2EBI". The doc I have found from Dovetail for Co:z
> indicates to get the .pub file into a MVS dataset in "text" format then do a
> RACDCERT ADD command and then point to the RACF keyring in
> $HOME/.ssh/authorized_keys. The RACDCERT command fails indicating "The input
> data set does not contain a valid certificate." And the DEBUG option provides
> no additional information.
>
> I am thinking I must have done something wrong getting the file from Windows
> email to the mainframe... I simply used SFTP to move it from c:\temp and I
> have tried both ASCII (looks good) and BINARY (looks binary).
>
> Is the .pub file simply in the wrong format for RACF and needs to be
> converted?

I'm pretty sure the public key they provided you was not intended to be used in conjunction with RACF (or any other ESM). That looks like a "plain old ssh" public key. If you don't mind them accessing your system in this way (I have severe doubts about that), just put the key as-is into the target userid's .ssh/authorized_keys file and have them give it a try.

Mark Post
Re: RACF and public keys
The ".pub" file represents the public key and is simply an ASCII text file. It should be transferred as a text file. It needs to eventually end up in /"userid"/ssh/authorizedkeys (not sure of the spelling, it's in the doc) for the "userid" being used on the MF side. Beware. The permissions must be set appropriately or SFTP simply will not function.

RACDCERT in the context of SFTP is used as a "container" to hold a public/private key pair. This is a different context than RACDCERT for the "e-commerce" market. Since you don't have a private key involved, this is overkill.

For a great overview see http://www.dovetail.com/webinars.html
In particular "IBM Ported Tools for z/OS: OpenSSH - Using Key Rings" and "IBM Ported Tools for z/OS: OpenSSH - Key Authentication".

HTH,

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tracy Adams
Sent: Wednesday, March 1, 2017 1:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF and public keys

I have a vendor that sent me a "public" key so they can SFTP into our mainframe from a Linux box without having to supply the RACF password. Yes they can sign in with a password and all works fine. I am new to RACF and loading keys and the whole SFTP / ssh thing so bear with me!

When I look at the key provided it starts off with this "ssh-rsa B3NzaC1yc2EBI". The doc I have found from Dovetail for Co:z indicates to get the .pub file into a MVS dataset in "text" format then do a RACDCERT ADD command and then point to the RACF keyring in $HOME/.ssh/authorized_keys. The RACDCERT command fails indicating "The input data set does not contain a valid certificate." And the DEBUG option provides no additional information.

I am thinking I must have done something wrong getting the file from Windows email to the mainframe... I simply used SFTP to move it from c:\temp and I have tried both ASCII (looks good) and BINARY (looks binary).

Is the .pub file simply in the wrong format for RACF and needs to be converted? Any help would be greatly appreciated!

Tracy
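Mark's diagnosis above (the vendor sent a "plain old ssh" public key, not the X.509 certificate RACDCERT ADD expects) and Allan's (the .pub file is one line of ASCII text and must be transferred as text) can both be verified mechanically before the line is pasted into authorized_keys. The script below is an added example, not code from this thread, Dovetail or IBM. It checks the three things that go wrong in practice: a PEM certificate header where a key was expected, non-printable bytes (the symptom of a text file moved in binary mode between ASCII and EBCDIC systems), and a base64 blob whose embedded key type does not match the first word, which is what a truncated or corrupted paste looks like. It assumes a Linux-style shell with base64, od and dd; the function names are hypothetical and the sample key lines are constructed with toy numbers, not real keys.

```shell
#!/bin/sh
# Added example (not code from the thread, Dovetail or IBM): check that a line
# is a well-formed OpenSSH public key before it goes into ~/.ssh/authorized_keys.
# The format is one line of plain text:   <key type> <base64 blob> [comment]
# and the blob's first field is a length-prefixed copy of the key type.
# A PEM/DER X.509 certificate (what RACDCERT ADD expects) looks nothing like it.
# Assumes a Linux-style shell with base64, od and dd; names are hypothetical.

# Returns 0 for a plausible key line, 1 otherwise (reason on stderr).
# Option prefixes ("from=...,no-pty ssh-rsa ...") are not handled here.
check_pubkey_line() {
  line=$1
  case "$line" in
    '-----BEGIN '*)
      echo "PEM header: a certificate or PEM key file, not an authorized_keys line" >&2
      return 1 ;;
    *[![:print:][:space:]]*)
      echo "non-printable bytes: probably transferred in binary mode / wrong code page" >&2
      return 1 ;;
  esac

  set -f                      # no globbing while we split on whitespace
  set -- $line
  set +f
  keytype=$1
  b64=$2
  if [ -z "$b64" ]; then
    echo "missing base64 blob after key type" >&2
    return 1
  fi
  case "$keytype" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unknown key type '$keytype'" >&2; return 1 ;;
  esac

  tmp=$(mktemp)
  if ! printf '%s' "$b64" | base64 -d >"$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "blob is not valid base64" >&2
    return 1
  fi
  # First wire-format field: 4-byte big-endian length, then the type string.
  hdr=$(od -An -tu1 -N4 "$tmp" | tr -s ' \n' ' ')
  hdr=${hdr# }
  hdr=${hdr% }
  embedded=$(dd if="$tmp" bs=1 skip=4 count="${#keytype}" 2>/dev/null)
  rm -f "$tmp"
  if [ "$hdr" != "0 0 0 ${#keytype}" ] || [ "$embedded" != "$keytype" ]; then
    echo "blob does not start with '$keytype': corrupted or not an OpenSSH key" >&2
    return 1
  fi
  return 0
}

# Constructed samples (not real keys): a syntactically valid ssh-rsa line with
# toy numbers e=65537, n=5; the header of a PEM certificate; and an ssh-rsa
# line whose blob actually carries "ssh-dss".
sample_good_line() {
  blob=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\001\005' | base64 | tr -d '\n')
  printf 'ssh-rsa %s vendor@linuxbox\n' "$blob"
}
sample_cert_line() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
}
sample_mismatch_line() {
  blob=$(printf '\000\000\000\007ssh-dss' | base64 | tr -d '\n')
  printf 'ssh-rsa %s vendor@linuxbox\n' "$blob"
}

# Stand-alone demo on the constructed samples:
check_pubkey_line "$(sample_good_line)" && echo "accepted: $(sample_good_line)"
check_pubkey_line "$(sample_cert_line)" || echo "rejected as expected: PEM certificate"
```

On a real file, run the check on each line of the vendor's .pub (for example with `while IFS= read -r l; do check_pubkey_line "$l"; done < vendor.pub`); a line that passes here but still does not authenticate points back at the permission checks discussed earlier in the thread rather than at the key itself.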
RACF and public keys
I have a vendor that sent me a "public" key so they can SFTP into our mainframe from a Linux box without having to supply the RACF password. Yes they can sign in with a password and all works fine. I am new to RACF and loading keys and the whole SFTP / ssh thing so bear with me!

When I look at the key provided it starts off with this "ssh-rsa B3NzaC1yc2EBI". The doc I have found from Dovetail for Co:z indicates to get the .pub file into a MVS dataset in "text" format then do a RACDCERT ADD command and then point to the RACF keyring in $HOME/.ssh/authorized_keys. The RACDCERT command fails indicating "The input data set does not contain a valid certificate." And the DEBUG option provides no additional information.

I am thinking I must have done something wrong getting the file from Windows email to the mainframe... I simply used SFTP to move it from c:\temp and I have tried both ASCII (looks good) and BINARY (looks binary).

Is the .pub file simply in the wrong format for RACF and needs to be converted? Any help would be greatly appreciated!

Tracy